Policy Insights
Policy Insights analyzes Access Control policies and network traffic to identify opportunities for optimization. It examines traffic patterns and policy configurations, and suggests modifications to improve your security posture.
Key Benefits
- Reduces attack surface by making rules more restrictive and eliminating unnecessary traffic permissions
- Simplifies access control policies for easier management and auditing
Policy Insights is supported on all Management Server configurations (Standalone, High Availability, Multi-Domain Server, Smart-1 Cloud).
See Telemetry and Data Processing for information on the data which Policy Insights processes.
Note - Policy Insights is based on self-updatable code. To review the recent changes, see sk183421.
Known Limitations
Policy Insights only analyzes rules that meet these criteria:
- The Action is Accept, Ask, or Inform.
- The Track column is not set to None.
- To create insights in the Source and Destination columns, the objects in these columns must be of type Any, Host, Network, Group, or Security Gateway / Security Cluster (IPv4 only).
- Insights that modify the Services & Applications column require that this column contains only these types of objects: tcp/udp services, icmp, rpc, and dce-rpc.
- In a Multi-Domain environment, only Domain rules are analyzed.
Prerequisites
- R82 Jumbo Hotfix Accumulator Take 14 or higher
- R82 SmartConsole Releases Build 1055 or higher
- Auto-update package (afw_AutoUpdate) version 71 or higher. The auto-update package is usually installed automatically when the version and Jumbo Hotfix Accumulator requirements are met. For manual installation instructions, see sk183421.
- The Management Server and all Log Servers must have internet access.
Activating Policy Insights
Note - Policy Insights does not rely on the Log Sharing or Configuration Sharing settings. Instead, it uploads log telemetry data and Policy Packages, rules, and objects to the Infinity Portal for analysis.
Procedure
- Connect your Security Management Server to the Infinity Portal.
- In SmartConsole > Infinity Services view, locate the Policy Insights card:
  - Toggle the switch to On.
  - Accept the Terms and Conditions.
  The card status changes from Inactive to Initializing.
- Make sure that there is an Insights button in the top-left corner of the Access Control Rule Base.
Important - After activation on a new system with no log history, it takes 90 days before high confidence insights become available. To see preliminary insights sooner, in the Policy Insights window, select Show additional low confidence suggestions.
Insights
Calculation Process
Policy Insights are calculated in Check Point's Infinity Cloud using uploaded policy and telemetry data. The calculation process:
- Runs every two weeks
- Analyzes traffic patterns against policy configurations
- Generates actionable recommendations
Types of Insights
- Remove unmatched objects - Identifies objects in rules that never received matching traffic, based on log analysis.
  - Benefit: Makes rules more restrictive by removing unnecessary objects.
  - Result: Prevents unauthorized traffic from passing through.
- Replace existing objects - Identifies overly broad objects that can be replaced with more specific alternatives. For example: a Network object in which only one IP address actually receives traffic. Replacing an object with a more specific one reduces the attack surface while maintaining legitimate access.
Confidence Level
High Confidence Insights
High confidence insights are based on rules that:
- Have telemetry logging data covering at least 90 consecutive days
- Were not modified in the past 90 days
Low Confidence Insights
Insights that do not meet one or both of these criteria.
By default, low confidence insights are not displayed in SmartConsole. To see low confidence insights, select the Show additional low confidence suggestions check box.
Best Practice - Review low confidence suggestions carefully before implementing them.
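The two insight types above (remove unmatched objects, replace an overly broad object with a single Host) and the confidence rule (at least 90 consecutive logged days, no rule change in the past 90 days) can be reproduced offline on a small rule model. The following is an added example written for this page; it is not Check Point's code and does not use the Management API. The Rule and NetObject classes, the rule_uid and day telemetry keys, and the UID placeholder are assumptions; src, dst, service and proto are the field names the page lists, and all records are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NetObject:
    """A Host (/32) or Network object as it appears in a rule's Source/Destination column."""
    name: str
    cidr: str

    def contains(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.cidr, strict=False)

    @property
    def is_network(self) -> bool:
        return ip_network(self.cidr, strict=False).num_addresses > 1


@dataclass(frozen=True)
class Rule:
    """Minimal Access Control rule model (an assumption of this example, not the Management API)."""
    uid: str
    sources: tuple
    destinations: tuple
    services: frozenset      # allowed destination ports
    last_modified: date


# Constructed rule: two source objects, one destination, two services.
RULE = Rule(
    uid="RULE-UID-PLACEHOLDER",
    sources=(NetObject("Branch_Net", "10.10.0.0/24"), NetObject("Admin_PC", "10.20.0.7/32")),
    destinations=(NetObject("Web_Srv", "192.0.2.10/32"),),
    services=frozenset({443, 8443}),
    last_modified=date(2025, 1, 5),
)
# Same rule, but edited recently: fails the "not modified in the past 90 days" criterion.
RECENT_RULE = replace(RULE, last_modified=date(2025, 6, 1))
TODAY = date(2025, 6, 18)


def make_telemetry(days: int, start: date) -> list:
    """Constructed daily telemetry records. src/dst/service/proto follow the page's table;
    rule_uid and day are assumed names for the rule ID and log-day fields.
    Only one Branch_Net address ever matches this rule, and only on port 443."""
    return [
        {"src": "10.10.0.44", "dst": "192.0.2.10", "service": 443, "proto": 6,
         "rule_uid": RULE.uid, "day": start + timedelta(days=i)}
        for i in range(days)
    ]


# 100 consecutive logged days ending yesterday.
LOGS = make_telemetry(100, TODAY - timedelta(days=100))


def _hits(rule: Rule, logs: list) -> list:
    return [r for r in logs if r["rule_uid"] == rule.uid]


def unmatched_objects(rule: Rule, logs: list) -> list:
    """'Remove unmatched objects': rule objects and services that no record ever matched."""
    hits = _hits(rule, logs)
    unused = [o.name for o in rule.sources if not any(o.contains(r["src"]) for r in hits)]
    unused += [o.name for o in rule.destinations if not any(o.contains(r["dst"]) for r in hits)]
    unused += [f"port {p}" for p in sorted(rule.services) if not any(r["service"] == p for r in hits)]
    return unused


def replacement_candidates(rule: Rule, logs: list) -> dict:
    """'Replace existing objects': Network objects where all matched traffic came from one IP,
    mapped to the single Host (/32) that could replace them."""
    hits = _hits(rule, logs)
    candidates = {}
    for objects, key in ((rule.sources, "src"), (rule.destinations, "dst")):
        for obj in objects:
            seen = {r[key] for r in hits if obj.contains(r[key])}
            if obj.is_network and len(seen) == 1:
                candidates[obj.name] = f"{seen.pop()}/32"
    return candidates


def longest_consecutive_days(days) -> int:
    """Length of the longest run of consecutive calendar days in the given iterable."""
    days = sorted(set(days))
    best = run = 1 if days else 0
    for prev, cur in zip(days, days[1:]):
        run = run + 1 if cur - prev == timedelta(days=1) else 1
        best = max(best, run)
    return best


def confidence(rule: Rule, logs: list, today: date) -> str:
    """High confidence needs >= 90 consecutive logged days AND no rule change in the past 90 days."""
    covered = longest_consecutive_days(r["day"] for r in _hits(rule, logs)) >= 90
    untouched = (today - rule.last_modified).days >= 90
    return "high" if covered and untouched else "low"


if __name__ == "__main__":
    print("unmatched:", unmatched_objects(RULE, LOGS))          # ['Admin_PC', 'port 8443']
    print("replace:", replacement_candidates(RULE, LOGS))       # {'Branch_Net': '10.10.0.44/32'}
    print("confidence:", confidence(RULE, LOGS, TODAY))         # high
    print("recently edited:", confidence(RECENT_RULE, LOGS, TODAY))  # low
```

Both unmatched objects (Admin_PC never appeared as a source, port 8443 never matched) are the kind of removal the first insight type proposes, and Branch_Net is a candidate for the second type because only 10.10.0.44 ever used the rule. Note that the same telemetry yields only a low confidence result for the recently edited rule, which is why such suggestions are hidden until the Show additional low confidence suggestions check box is selected.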
Security Impact
The insight's security impact is calculated according to the proposed change in the rule. For example:
- Removing one open port from a rule has a low security impact.
- Replacing "Any" in the Source column with a single host IP address has a high security impact.
Policy Insights utilizes the security impact score to focus on insights that are more significant and hide insights with negligible impact.
High-impact insights with a high confidence level are marked in SmartConsole with a star icon next to them.
Managing Policy Insights
To view insights for a Policy Layer
- In SmartConsole, go to the Security Policies view > Access Control.
- Click the Insights button at the top-left corner.
To view insights for a specific rule
- In SmartConsole, go to the Security Policies view > Access Control.
- Select the required rule.
- In the bottom pane, click the Insights tab.
- Click the Open button to open the Policy Insights window.
Available Actions
For each insight, you can select one of these options:
- Apply - Implement the suggested change in the Rule Base. You must publish your session for the change to take effect.
- Decline - Reject the insight. The insight is moved to the Declined suggestions section, and you can reuse it from there.
  To use a suggestion from the Declined suggestions section:
  - Select the required suggestion and click the Undo decline button.
  - In the Suggestions section, select the required suggestion and click Apply.
  - Publish your changes and Install Policy.
- Decide later - Move the suggestion to the Decide later section. The suggestion remains available for use in the future. This is useful for insights that require additional analysis.
  To use a suggestion from the Decide later section:
  - Select the required suggestion and click the Move back button.
  - In the Suggestions section, select the required suggestion and click Apply.
  - Publish your changes and Install Policy.
Telemetry and Data Processing
Policy Insights uses log telemetry to determine traffic patterns without the need to send complete logs to the cloud.
When Policy Insights is active, the log telemetry service scans all logs, and processes only the relevant logs and fields that are required for Policy Insights calculation.
This reduces the volume of data sent to the Infinity Portal for further processing.
Collected data fields:

| Field | Description | Example |
|---|---|---|
| service | Connection (service destination port) | 443 |
| calc_service | Calculated service name | https |
| proto | Protocol number | 6 |
| src | Source IP address | 192.168.1.112 |
| dst | Destination IP address | 23.227.38.74 |
| | Rule match action | Accept |
| | Gateway Origin | cp_mgmt |
| | Log time (by day) | 2025-06-18T00:00:00:000 |
| | Name of the Access Control rule (match table) | Clean up |
| | Rule action by layer (match table) | ("Accept") |
| | Rule ID in the Access Control policy to which the connection was matched (match table) | ["0E3B6901-8AB0-4b1e-A317-8BE33055FB44"] |
| | Layer ID (table) | ["024b3a8f-b24e-4df8-b3ee-17009886dad5"] |
| | Connection number | 301 |
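The minimization step described above (scan every log, keep only the logs and fields Policy Insights needs, reduce the timestamp to the day) can be illustrated with a small projection function. This is an added example written for this page, not Check Point's log telemetry service. The field names service, calc_service, proto, src and dst are the page's; the remaining keys (action, origin, time, rule_name, rule_action, rule_uid, layer_uid, conn_num) and the extra fields in the sample records are assumed names chosen for the example, the UIDs are placeholders, and the log records are constructed.

```python
from datetime import datetime
from typing import Optional

# Fields kept in telemetry. The first five are the page's field names; the rest are assumed
# names for the match-table columns the page describes without naming.
COLLECTED_FIELDS = ("service", "calc_service", "proto", "src", "dst", "action", "origin",
                    "rule_name", "rule_action", "rule_uid", "layer_uid", "conn_num")

# Only rules with these actions are analyzed (Known Limitations), so other logs are skipped.
ANALYZED_ACTIONS = {"Accept", "Ask", "Inform"}


def is_relevant(log: dict) -> bool:
    return log.get("action") in ANALYZED_ACTIONS


def to_telemetry(log: dict) -> Optional[dict]:
    """Project one full log record onto the collected fields; None if it is not relevant."""
    if not is_relevant(log):
        return None
    record = {key: log[key] for key in COLLECTED_FIELDS if key in log}
    # Log time is reduced to the day, so per-connection timing never leaves the server.
    day = datetime.fromisoformat(log["time"]).date()
    record["time"] = day.strftime("%Y-%m-%dT00:00:00")
    return record


def minimize(logs: list) -> list:
    return [t for t in map(to_telemetry, logs) if t is not None]


# Constructed full log records, including fields that telemetry leaves out.
SAMPLE_LOGS = [
    {"time": "2025-06-18T14:07:31", "action": "Accept", "origin": "cp_mgmt",
     "src": "192.168.1.112", "dst": "23.227.38.74", "service": 443, "calc_service": "https",
     "proto": 6, "rule_name": "Clean up", "rule_action": ["Accept"],
     "rule_uid": ["RULE-UID-PLACEHOLDER"], "layer_uid": ["LAYER-UID-PLACEHOLDER"],
     "conn_num": 301, "user": "alice", "bytes": 18234, "src_machine_name": "laptop-112"},
    {"time": "2025-06-18T14:09:02", "action": "Drop", "origin": "cp_mgmt",
     "src": "192.168.1.50", "dst": "198.51.100.9", "service": 23, "calc_service": "telnet",
     "proto": 6, "rule_name": "Cleanup rule", "rule_uid": ["RULE-UID-PLACEHOLDER-2"],
     "conn_num": 302, "user": "bob", "bytes": 0},
]


if __name__ == "__main__":
    for record in minimize(SAMPLE_LOGS):
        print(record)   # one record: the Accept log, without user/bytes/machine name, time cut to the day
```

The page's example time value ends in ":000"; the example above emits a plain ISO day timestamp instead, which is an assumption about the format, not a reproduction of it. The point of the projection is what it drops: user identity, byte counts and exact timestamps stay on the Log Server, while the cloud side receives only what the rule-matching analysis needs.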
In addition to log telemetry, Policy Insights also uploads policy package information, rules, and network objects to the cloud. Data is stored and processed according to the Infinity Portal’s “region” configuration.
For more information on compliance and privacy, see Trust-Point.
Background Activities
Policy Insights works in the background of the Security Management Servers and Log Servers.
It uses the Management API and Infinity Portal API to do these activities, and generates audit logs which record these actions:
- Periodically check whether Policy Insights is active and licensed.
- Periodically check when the next calculation is supposed to take place in the cloud, and upload the latest policy packages, rules, and objects to the cloud.
- Send log telemetry data to the cloud.
The Policy Insights Window
In each category in the Policy Insights window, you can see the latest date on which the presented information is based.
The number in each category represents the number of suggestions for this category.
Next to each suggestion, one of these options appears:
- Star icon: Recommended - Suggestions with high security impact and high confidence.
- No icon - Suggestions with security impact but no conclusive confidence due to limited data.
- Low Confidence icon - Not enough logs and time to have conclusive confidence. For example, new rules, rules that changed recently, or other cases when data is limited.
To export the information in the Policy Insights window as a CSV file, click the Export to CSV button at the bottom-left corner of the Policy Insights window.
Filtering Insights
You can filter the suggestions based on these categories:
- Recommended (the default option) - Suggestions with the highest security impact. The insight's security impact is calculated according to the proposed change in the rule. This enables Policy Insights to focus on more significant insights and hide those with low impact. High-impact insights with a high confidence level are marked in SmartConsole with a star icon.
- All - Valuable suggestions.
- Show additional low confidence suggestions - When you select this check box, it shows suggestions with low confidence, in addition to the Recommended and All suggestions. Low confidence suggestions are for new rules, rules that changed recently, or other cases when data is limited. These suggestions are not displayed by default.